SOC for Cybersecurity: An Answer to Leadership’s Cybersecurity Responsibilities

Business leaders, executives, and directors are understandably uneasy about the state of cybersecurity in their companies. Each week, another company's good name is dragged through the mud by the press on news of a cyberattack. Not only do these organizations spend a great deal of hard-earned money responding to the breach, but the long-term impact of brand damage and lost customers is where most companies feel the biggest hurt.

Class-action lawsuits against Equifax will reportedly seek as much as $70 billion in damages, a figure that likely exceeds its cyber insurance coverage many times over. In the days following the disclosure of the data breach, Equifax lost over 36% of its market capitalization. As if that weren't enough, the press coverage continued as its CEO was hauled before Congress to face lawmakers eager to alternate between wagging and pointing their fingers, further adding to the negative press.

These cases, and the many others we hear about each week, are forcing organizational leaders to conclude that they must do more to demonstrate that the organization as a whole, and they as individuals, are doing enough to guard against the cyber threat.

Organizational Cyber Defenses

To do more, they first need a clear understanding of what cyber defenses are in place today and how well they function. But what can and should they do?

The AICPA's Description Criteria, a standardized set of criteria for management's description of its cybersecurity risk management program, are intended to ease the burden on boards and leaders who may need to review a variety of these descriptions. If they all follow the same format, they will be easier to parse. Additionally, the standardized format will allow CPA firms with cybersecurity expertise to assist management efficiently in preparing these descriptions, without re-inventing the wheel with each new engagement.

The AICPA recognizes that cybersecurity frameworks, such as the NIST Cybersecurity Framework and the CIS Top 20 Critical Security Controls, have proliferated. Different organizations and different industries may use different cybersecurity frameworks to guide their cyber risk management programs. As a result, the AICPA's new guidance is framework agnostic: it allows organizations to use any framework that is "suitable and available" when describing their cybersecurity risk management program.

Some stakeholders, internal or external, may require additional assurance, beyond the description provided by management, that an independent party has evaluated the cybersecurity risk management program. Again, the AICPA has provided guidance that is similar to the System and Organization Controls (SOC)[1] audits that CPAs have been performing in some form for decades. Like the popular SOC 1 and SOC 2, this new examination-level report is called the SOC for Cybersecurity. Like its siblings, it requires a management assertion that the description is presented in accordance with the description criteria and that the controls within the cybersecurity risk management program are operating effectively. The auditor then tests those controls and issues an opinion covering two areas:

That management’s description is presented in accordance with the AICPA’s description criteria

That the controls within the risk management program were effective in achieving management's cybersecurity objectives

The AICPA has invested heavily in creating the truly forward-thinking Description Criteria and associated assurance products. It recognizes that full-service accounting firms have been deeply involved with organizational information technology controls since Sarbanes-Oxley, and that firms with a strong IT and cyber skillset are well-equipped to meet many of their clients' cybersecurity needs. As the cyber threat grows, organizational leaders, officers, and directors will be expected to have taken an active role in the cybersecurity of the organizations they control, and the new products developed by the AICPA appear to be an excellent step towards meeting those expectations.

Our Risk Advisory Services practice is designed to assist companies with the identification of risks that have a significant impact on their business, including financial, operational, and compliance risks, and with developing sound, cost-effective controls to mitigate those risks. We provide integrated services, including SOC audits and cybersecurity services, that help public and private companies identify and manage their risks. Contact us. Our Risk Advisory Services team can help.

[1] The AICPA recently changed the SOC acronym. It used to stand for Service Organization Control. Today it stands for System and Organization Controls.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Chris is a Senior Manager in Keiter's Risk Advisory Services. Chris has a strong combination of IT skills, ranging from IT audit and internal control assessments, including general computer controls and application controls, to full-stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization's resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.